Categories: Cisco

How to successfully configure Cisco site-to-site IPsec VPN in 5 minutes!

Cisco IPSEC VPN is a must for anyone who desires to manage an enterprise network. I have always faulted the old CCNA curriculum that excluded VPN setup. It meant that many CCNA holders did not have the knowledge of how to configure IPSEC VPN except they went further by studying for the CCNA security. As expected, Cisco has recently realized this and has therefore included IPSEC VPN in the CCNA curriculum, making it a must for aspiring CCNAs. The IPSEC VPN is a technology that allows you to successfully encrypt packets sent from one LAN to the other over the public internet. In this post, I will share with us on how to successfully configure an IPSEC VPN using GNS3.

LAB requirement:

The Cisco 3600 series router running on GNS3.

Network Topology.



Objective to set up IPSEC VPN on R1 and R3 to allow communication between networks and The WAN links between R2 , R1 and R3 are configured for /30. I will start my configuration from R2. In reality, our job will be done on both R1 and R3.


Interface configuration on R2

R2(config)#int f0/0
R2(config-if)#ip add
R2(config-if)#description connection to R1
R2(config-if)#no shut
R2(config-if)#int f0/1
R2(config-if)#ip add
R2(config-if)#description connection to R3
R2(config-if)#no shut

Interface configuration on R1

R1 configuration
R1(config)#int f0/0
R1(config-if)#ip add
R1(config-if)#desc connection to R2
R1(config-if)#no shut
R1(config-if)#int f0/1
R1(config-if)#ip add
R1(config-if)#desc connection to LAN
R1(config-if)#no shut
R1(config)#ip route

IPSEC VPN configuration on R1

First, we need to configure an access-list to match LAN to LAN traffics
R1(config)#ip access-list extended VPN
R1(config-ext-nacl)#permit ip
Then the VPN setup
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#crypto isakmp key TimiGate address (IP address of remote router)
R1(config)#crypto ipsec transform-set TGSET esp-aes esp-sha-hmac
R1(config)#crypto map TGMAP 1 ipsec-isakmp
R1(config-crypto-map)#set peer
R1(config-crypto-map)#set transform-set TGSET
R1(config-crypto-map)#match address VPN
Finally, on R1, we apply the crypto map to the interface connecting to the ISP
R1(config)#int f0/0
R1(config-if)#crypto map TGMAP

On R3

R3 configuration
R3(config)#int f0/0
R3(config-if)#ip add
R3(config-if)#desc connection to R2
R3(config-if)#no shut
R3(config-if)#int f0/1
R3(config-if)#ip add
R3(config-if)#desc connection to LAN
R3(config-if)#no shut
R3(config)#ip route

IPSEC VPN configuration on R3

First, we need to configure an access-list to match LAN to
LAN traffics
R3(config)#ip access-list extended VPN
R3(config-ext-nacl)#permit ip
Then the VPN setup
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#crypto isakmp key TimiGate address (IP address of remote router)
R3(config)#crypto ipsec transform-set TGSET esp-aes esp-sha-hmac
R3(config)#crypto map TGMAP 1 ipsec-isakmp
R3(config-crypto-map)#set peer
R3(config-crypto-map)#set transform-set TGSET
R3(config-crypto-map)#match address VPN
Finally, on R3, we apply the crypto map to the interface
connecting to the ISP
R3(config)#int f0/0
R3(config-if)#crypto map TGMAP


Finally, configure the interfaces on R4 and R5 with IP addresses from their various subnets and try to ping from R4 to R5 or vise versa. If done properly, the pings should be successful even though there are no routes from R2(ISP router) to the LANs. Packets to the LANs will be encrypted and sent via the IPSEC VPN tunnel.
Image showing ping results across ipsec vpn tunnel

We can use the sh crypto ipsec sa command to verify VPN connection.

Image showing established ipsec SA

If you need help building this LAB on GNS3, drop me a comment.


Spread the love

View Comments

  • Hi Sir. Thank you for this very simple demonstration.I just have a little concern on R2(ISP side). How can R1 send packet to R3 without using any routing protocol on R2? Thank you.

    • Aaron, that's the essence of the vpn. I created an access list called vpn. What it does is to allow traffic from the lan on R1 ,going to the lan on R3 to be sent to R3 via the vpn tunnel. If I set up routing on R2,then no need for the vpn cos traffics will be sent through the ISP network (internet) instead of the vpn tunnel.

  • What is the necessary creating acces-list for r1 router and r2 router.Is it working Vpn tunnel Without access-list ,,,

  • Hi , I configured a same lab with diffrent dimensions. But crypto isakmp table showing nothing, can you please help?

    • Check your preshared key and also ensure that the specified IP is that if the remote router.

Recent Posts

Optimize your Metro ethernet with Jumbo MTU

Optimizing Metro Ethernet segments with jumbo MTU (Maximum Transmission Unit) can significantly enhance network performance…

2 months ago

Mikrotik switchOS configuration: a step-by-step guide

MikroTik's SwitchOS is an operating system specifically designed for their line of network switches. It…

3 months ago

Improve your network uptime with VRRP right now

A properly configured VRRP setup does not only track device uptime but also tracks connection…

3 months ago

Have you been configuring NAT the right way on Mikrotik?

Network Address Translation (NAT) is a technique used in networking to map private IP addresses…

3 months ago

Implementing VXLAN over MPLS with Mikrotik

In the ever-evolving landscape of networking technologies, the demand for efficient and scalable solutions has…

3 months ago

Multi-Area OSPF implementation on Mikrotik routers

Setting up Multi-Area OSPF (Open Shortest Path First) on Mikrotik routers involves a few steps.…

3 months ago